Bugtraq mailing list archives

NAV 5.0 and embedded files


From: "Michael W. Shaffer" <shaffer () LABS AGILENT COM>
Date: Wed, 20 Dec 2000 11:47:36 -0800

Product:       Norton (Symantec) Antivirus
Platform:      Win32
Versions:      5.0
Problem:       Files 'embedded' in Word and Excel documents appear to
               evade scanning.

I have noticed what appears to me to be a disturbing lapse in the
scanning procedure of Norton Antivirus 5.0 Win32. I am looking for
corroboration and confirmation or denial from anyone else who has
noticed this or can reproduce it. I also apologize if this is a known
issue (I could not find anything about it in the BUGTRAQ archives).

We run multiple virus scanning systems at our site:

- Trend Micro InterScan Virus Wall on SMTP gateways
- NAV 5.0 on Windows workstations and file servers
- Sophos antivirus on UNIX file and proxy servers

While responding to a recent complaint of infection from a user here,
I was told that the customer believed they had been infected with a
copy of Win32 Fun Love contained in an 'embedded package' in an Excel
spreadsheet that she had received from a co-worker. While investigating
the complaint, the local Exchange administrator and I ran several tests
including emailing and opening Word and Excel documents which had infected
files embedded in them. We tested this with plain and password protected
files with the infected files inserted by simple 'drag and drop' from
Explorer as well as through 'Object Packager'. When we emailed the
documents with infected embedded files, they were caught and deleted
without exception by InterScan at the email gateways. I was somewhat
surprised to find that InterScan even detected the infected content in
*password protected* files. I remember reading that the security mechanism
involved in the Excel password protection scheme is not particularly
robust, but I did think that it involved at least a minimal encryption of
the file which was protected. I am assuming that either the files are not
actually encrypted, the embedded content is not encrypted, or (unlikely
I think) that ISVW is actually cracking the files by brute force in order
to scan them. Perhaps someone else knows more about this than I.

In any event, the alarming thing was that NAV 5.0 failed to detect *any*
of the infected embedded objects when the enclosing documents were
either opened or scanned manually. NAV 'Auto Protect' *did* detect the
malicious content when the embedded object was either saved or launched
from within the document, but not before. If this lapse can be confirmed
it seems rather dangerous since it would appear to represent a simple
method for transporting and storing malicious content in a NAV protected
environment. In our case, this sort of thing would most likely be stopped
at the email gateways if it was ever mailed, but a huge amount of data
moves around our intranet through file sharing, FTP, HTTP, and other means
besides email.

To test this, do the following:

- Turn off NAV Auto Protect
- Obtain a copy of some malware or the EICAR test pattern file
- Open a new Word or Excel document
- Drag the malware from an Explorer window into the new document window
- If prompted, pick 'copy here'
- Close the document, right click on it, and select 'Scan with Norton
  AntiVirus'
- You should see 'No viruses found in this scan'
- Repeat the scan on the malware or pattern file
- You will probably see a notification that a virus has been detected
  and/or cleaned
- Close the document
- Re-enable NAV Auto Protect
- Launch the document again
- Norton should not warn of any infection
- If you attempt to save or launch the infected object, then Auto Protect
  should detect it and produce a warning

I have not tested this yet with NAV 7.0.

--
Michael W. Shaffer                     email: shaffer () labs agilent com
Research Computing Services            phone: +1 650.485.2955
Agilent Laboratories, Palo Alto        fax:   +1 650.485.5568
----------------------------------------------------------------------
Public Key:         http://alcatraz.labs.agilent.com/shaffer/publickey
----------------------------------------------------------------------
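A check for the gap described above, added here as an example and not code from the post or from any Symantec product: it walks the OLE2/CFB container that a Word or Excel file is, lists every stream, and scans each stream separately, flagging the stream names packaged (Object Packager) objects are stored under. It assumes a version-3 file with 512-byte sectors, streams of at least 4096 bytes (so they live in regular sectors rather than the mini stream, which is not handled), and a constructed marker string in place of a real signature; `build_doc`, `list_streams` and `scan_container` are names chosen for this example.

```python
import struct
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
SEC = 512                                         # v3 compound files use 512-byte sectors
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"     # stand-in for a real pattern (constructed)
PACKAGE_STREAMS = ("\x01Ole10Native", "Package")    # stream names used for packaged objects

def _dir_entry(name, obj_type, start, size, child=FREESECT):
    """One 128-byte directory entry; the name length counts the UTF-16 NUL terminator."""
    raw = name.encode("utf-16-le")
    return struct.pack("<64sHBBIII16sI8s8sIQ", raw, len(raw) + 2 if raw else 0, obj_type,
                       1, FREESECT, FREESECT, child, b"", 0, b"", b"", start, size)
def build_doc(stream_name, payload):
    """Constructed test input: a minimal CFB file with one stream in regular sectors
    (payload >= 4096 bytes). Sector 0 = FAT, sector 1 = directory, sectors 2.. = payload."""
    nsec = -(-len(payload) // SEC)
    chain = [s + 1 for s in range(2, nsec + 1)] + [ENDOFCHAIN]   # sectors 2..nsec+1 linked
    fat = [FATSECT, ENDOFCHAIN] + chain
    header = struct.pack("<8s16s5H6s9I109I", CFB_MAGIC, b"", 0x3E, 3, 0xFFFE, 9, 6, b"",
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0, 0, *[FREESECT] * 108)
    fat_sector = struct.pack("<128I", *fat, *[FREESECT] * (128 - len(fat)))
    directory = (_dir_entry("Root Entry", 5, ENDOFCHAIN, 0, child=1)
                 + _dir_entry(stream_name, 2, 2, len(payload)) + _dir_entry("", 0, 0, 0) * 2)
    return header + fat_sector + directory + payload.ljust(nsec * SEC, b"\0")
def _read_chain(blob, fat, start):
    out, hops = b"", 0
    while start < len(fat) and hops <= len(fat):  # end markers exceed len(fat); cap stops FAT loops
        out, start, hops = out + blob[(start + 1) * SEC:(start + 2) * SEC], fat[start], hops + 1
    return out
def list_streams(blob):
    """Return [(name, bytes)] for every stream stored in regular sectors (mini stream ignored)."""
    if blob[:8] != CFB_MAGIC or struct.unpack_from("<H", blob, 30)[0] != 9:
        raise ValueError("not a v3 CFB/OLE2 container")
    n_fat, first_dir = struct.unpack_from("<II", blob, 44)
    fat = []
    for s in struct.unpack_from("<109I", blob, 76)[:n_fat]:   # header DIFAT lists the FAT sectors
        fat += struct.unpack_from("<128I", blob, (s + 1) * SEC)
    directory, streams = _read_chain(blob, fat, first_dir), []
    for off in range(0, len(directory), 128):
        name_len, obj_type = struct.unpack_from("<HB", directory, off + 64)
        if obj_type == 2:                         # 2 = stream (1 = storage, 5 = root entry)
            start, size = struct.unpack_from("<IQ", directory, off + 116)
            name = directory[off:off + name_len - 2].decode("utf-16-le")
            streams.append((name, _read_chain(blob, fat, start)[:size]))
    return streams
def scan_container(blob):
    """What a container-aware scanner must do: (name, is_packaged_object, hit) per stream."""
    return [(n, n in PACKAGE_STREAMS, TEST_SIGNATURE in d) for n, d in list_streams(blob)]

SAMPLE_DOC = build_doc("\x01Ole10Native", b"X" * 4200 + TEST_SIGNATURE)   # constructed sample
```

`scan_container(SAMPLE_DOC)` returns a single tuple marking the `\x01Ole10Native` stream as a packaged object that also carries the marker; a scanner that only classifies the outer file type never reaches that stream.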